A lot of questions about CERT, PKA and make-dns-cert
Dan Mahoney, System Admin
danm at prime.gushi.org
Wed Oct 21 11:44:55 CEST 2009
On Wed, 21 Oct 2009, David Shaw wrote:
> You didn't give an actual version number (run gpg2 --version), so I can only
> make an educated guess, but I do think I see your problem. You don't have
> one key in your CERT - you have two (309C17C5 and 624BB249) combined into one
> DNS record. That doesn't work - it's a one-name-one-key mapping. We should
> give a better error message in this case.
Aah, yes, there we go. Now it seems to work on all my systems. For some
reason I assumed --export would just pick one key to match on, just as
--delete-keys does. Note there's still a secondary key, hence my
So far, the commands for a PGP CERT are:
gpg --list-keys gushi@gushi.org
(read, get key id)
gpg2 --export --export-options export-clean keyid > keyid.pub.bin
(or: gpg2 --export --export-options export-minimal keyid > keyid.pub.bin)
make-dns-cert -k keyid.pub.bin -n gushi.gushi.org. > keyid.dnscert
The commands for an IPGP cert are:
gpg --list-keys you@you.com
Choose your keyid from the above.
gpg2 --export --armor keyid > keyid.pub.asc
copy the ascii file somewhere where it's URL accessible.
Manually copy/paste your fingerprint into the next command:
make-dns-cert -n gushi.gushi.org. -u url (format: which?) -f fingerprint > keyid.dnscert
Then, publish one (and only one) CERT record in dns per-label. In my
case this also means signing the zone and all that.
Finally, for an _PKA record, it involves manually:
user@domain.com becomes user._pka.domain.com.
Get your keyid as above.
1) Export to a uri as for IPGP cert, above (presumably, it can be the same
Strip your fingerprint like so:
2) gpg --fingerprint keyid | grep "Key fingerprint" | cut -d "=" -f 2 | sed 's/ *//g'
The format of the text record is simple:
you._pka.domain.com. IN TXT "v=pka1;fpr=[#1];uri=[#2]"
Where the values are substituted from the steps above.
Publish this in DNS.
Test using: dig you._pka.domain.com TXT, see if you get a result.
Test with a GPG client that doesn't otherwise have the key:
echo "foo" | gpg --auto-key-locate pka --armor --encrypt -r you@domain.com
and see if you get an output.
So here's the laundry list:
0) Do the above look mostly-right?
1) What are the best options for exporting certs for a CERT record? For a
uri-styled record? (i.e. which signatures do you want to include?)
2) Do either the pka or the IPGP standards require the key to be in
3) What's the "sanctioned" list of uri formats? Where is it defined for
CERT? For PKA?
4) As I'm not a c-coder, how difficult would it be to have the
make-dns-cert output in base64 instead of binary?
5) How solid is the output of --fingerprint? Is it likely to change
between versions, or are the grep and sed listed likely to work most
6) How difficult would it be to get the cert-export functions right into
7) How difficult would it be to get make-dns-cert built-by-default?
8) (asked previously) Is it worth filing a bug on not being able to
specify multiple keyservers for auto-key-locate?
9) (also previously) Is it worth filing a bug to not have auto-key-locate
vomit on unsupported methods?
With the answers to the above, I'll write up a nice howto doc including
the prereqs for all the above, the DNS requirements, and the like.
"It's three o'clock in the morning. It's too late for 'oops'. After
Locate Updates, don't even go there."
January 3, 2k
Indeed, sometime after 3AM
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
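Added example, not from the post above and not GnuPG's own make-dns-cert or gpg code: a small Python script that builds the three records discussed (PGP CERT, IPGP CERT, PKA TXT) in text form. It lays out the CERT RDATA as RFC 4398 describes it (type 3 PGP with the exported key inline; type 6 IPGP with a one-octet fingerprint length, the fingerprint bytes and the URL), prints the record both as a normal zone line and in the RFC 3597 \# form (the base64/text output item 4 asks about), pulls the fingerprint out of `gpg --fingerprint` output without depending on the exact spacing (item 5), and walks OpenPGP packet headers per RFC 4880 to count Public-Key packets, so an export carrying two keys, the mistake identified in the quoted reply, is refused before it reaches the zone. The key bytes, fingerprint, owner names and URL are constructed dummy values, and the choice of an http URL is an assumption (which URL forms are sanctioned is still the open question in item 3); the `--list-keys` and `--export` steps themselves still happen in gpg as shown above. Python is used here so the script runs without gpg or a name server installed.

```python
"""Build DNS CERT (RFC 4398) and PKA TXT records for an OpenPGP key.

Added example: not GnuPG's make-dns-cert, just the RFC 4398 RDATA layout in
pure Python so the record can be emitted as text instead of raw binary, plus
a key-count check on the export. All key bytes/fingerprints/URLs are dummies.
"""
import base64
import re
import struct

CERT_TYPE_PGP = 3   # RFC 4398 s.2.1: whole OpenPGP key carried in the record
CERT_TYPE_IPGP = 6  # RFC 4398 s.2.1: fingerprint plus URL where the key lives


def normalize_fingerprint(text):
    """Return the 40-hex-digit v4 fingerprint found in `gpg --fingerprint`
    output or in a bare (space-separated or not) fingerprint, uppercased.
    Tolerates both the 'Key fingerprint = ...' prefix and its absence."""
    for line in text.splitlines():
        candidate = line.split("=", 1)[1] if "=" in line else line
        fpr = re.sub(r"\s+", "", candidate).upper()
        if re.fullmatch(r"[0-9A-F]{40}", fpr):
            return fpr
    raise ValueError("no 40-hex-digit fingerprint found")


def count_public_keys(blob):
    """Count Public-Key packets (tag 6) in a binary OpenPGP export by walking
    RFC 4880 packet headers; `gpg --export` with no key ID emits every key."""
    n = i = 0
    while i < len(blob):
        ctb = blob[i]
        if not ctb & 0x80:
            raise ValueError(f"not an OpenPGP packet header at offset {i}")
        if ctb & 0x40:                                  # new-format header
            tag, first = ctb & 0x3F, blob[i + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + blob[i + 2] + 192, 3
            elif first == 255:
                length, hdr = int.from_bytes(blob[i + 2:i + 6], "big"), 6
            else:
                raise ValueError("partial body lengths not handled here")
        else:                                           # old-format header
            tag, lentype = (ctb >> 2) & 0x0F, ctb & 0x03
            if lentype == 3:
                raise ValueError("indeterminate length not handled here")
            hdr = 1 + (1 << lentype)                    # 1, 2 or 4 length octets
            length = int.from_bytes(blob[i + 1:i + hdr], "big")
        if tag == 6:
            n += 1
        i += hdr + length
    return n


def cert_rdata_pgp(key_bytes):
    """CERT RDATA, type PGP: type, key tag 0, algorithm 0, then the raw key.
    Exactly one key is allowed per record (one-name-one-key mapping)."""
    if count_public_keys(key_bytes) != 1:
        raise ValueError("export must contain exactly one public key")
    return struct.pack("!HHB", CERT_TYPE_PGP, 0, 0) + key_bytes


def cert_rdata_ipgp(fingerprint, url):
    """CERT RDATA, type IPGP: type/tag/alg header, one octet fingerprint
    length, the fingerprint bytes, then the URL (RFC 4398 s.2.1.1)."""
    fpr = bytes.fromhex(normalize_fingerprint(fingerprint))
    return (struct.pack("!HHB", CERT_TYPE_IPGP, 0, 0)
            + bytes([len(fpr)]) + fpr + url.encode("ascii"))


def cert_presentation(owner, rdata):
    """Zone-file form: owner IN CERT <type> <key tag> <alg> <base64 data>."""
    ctype, tag, alg = struct.unpack("!HHB", rdata[:5])
    mnemonic = {CERT_TYPE_PGP: "PGP", CERT_TYPE_IPGP: "IPGP"}.get(ctype, str(ctype))
    data = base64.b64encode(rdata[5:]).decode("ascii")
    return f"{owner} IN CERT {mnemonic} {tag} {alg} {data}"


def cert_generic(owner, rdata):
    """RFC 3597 form (CERT is RR type number 37) for name servers whose zone
    parser has no CERT syntax: owner IN TYPE37 \\# <length> <hex>."""
    return f"{owner} IN TYPE37 \\# {len(rdata)} {rdata.hex()}"


def pka_txt(address, fingerprint, uri):
    """PKA v1 TXT record: user@domain is published at user._pka.domain."""
    local, _, domain = address.partition("@")
    fpr = normalize_fingerprint(fingerprint)
    return f'{local}._pka.{domain}. IN TXT "v=pka1;fpr={fpr};uri={uri}"'


def _packet(tag, body):
    """Old-format RFC 4880 packet with a one-octet length (constructed data)."""
    return bytes([0x80 | (tag << 2), len(body)]) + body

# Constructed sample exports: Public-Key (tag 6) + User ID (tag 13) packets
# with filler bodies; TWO_KEYS mimics `gpg --export` run without a key ID.
ONE_KEY = _packet(6, b"\x04" + b"\x00" * 9) + _packet(13, b"you@you.com")
TWO_KEYS = ONE_KEY + _packet(6, b"\x04" + b"\x01" * 9) + _packet(13, b"other")
GPG_FPR_LINE = "      Key fingerprint = 1234 5678 9ABC DEF0 1234  5678 9ABC DEF0 1234 5678"
KEY_URL = "http://gushi.org/keyid.pub.asc"  # dummy; the scheme is an assumption

if __name__ == "__main__":
    print(count_public_keys(TWO_KEYS), "public keys in the combined export")
    print(cert_presentation("gushi.gushi.org.", cert_rdata_pgp(ONE_KEY)))
    print(cert_generic("gushi.gushi.org.", cert_rdata_ipgp(GPG_FPR_LINE, KEY_URL)))
    print(pka_txt("you._pka.domain.com".split("._pka.")[0] + "@domain.com", GPG_FPR_LINE, KEY_URL))
```

To use it on a real key, read `keyid.pub.bin` (the binary export from the steps above) into `cert_rdata_pgp`, or pass the `gpg --fingerprint` output and the URL of `keyid.pub.asc` to `cert_rdata_ipgp`; `count_public_keys` refusing the blob is the same condition the quoted reply diagnosed. Partial body lengths and indeterminate old-format lengths are rejected rather than guessed, since a normal `gpg --export` does not produce them.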